Win32.Worm.Stration.BB@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Worm.Stration.BB@mm.
Explanation:
This threat arrives via e-mail. The format of the e-mail is as follows:
Subject: (any of the following)
Error
Good day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
Body:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
or
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
Attachment:
The attachment can take one of several forms. It is either:
Update-KB<%random%>-x86.exe or Update-KB<%random%>-x86.zip
(eg: Update-KB8328-x86.exe)
or a name composed from the following strings:
STR1:
body
data
doc
docs
document
file
message
readme
test
text
STR2:
dat
elm
log
msg
txt
STR3:
bat
cmd
exe
pif
scr
Composed: STR1.STR2.STR3 or STR1.zip
(eg: data.txt.pif, body.msg.exe, docs.zip)
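A defender-side filter for the subject lines and attachment names listed above, as an added example that is not part of the BitDefender description. It assumes the random part of Update-KB<%random%>-x86 is any run of digits and that names and subjects are compared case-insensitively; the sample messages are constructed.

```python
import re
from typing import Dict, List, Optional

# Attachment-name vocabulary exactly as the description lists it (STR1, STR2, STR3).
STR1 = {"body", "data", "doc", "docs", "document", "file", "message", "readme", "test", "text"}
STR2 = {"dat", "elm", "log", "msg", "txt"}
STR3 = {"bat", "cmd", "exe", "pif", "scr"}

# Update-KB<%random%>-x86.exe or .zip. The description's example uses four digits,
# but the random part is not specified further, so any run of digits is accepted (assumption).
UPDATE_KB_RE = re.compile(r"^update-kb\d+-x86\.(exe|zip)$")

# Subject lines used by the lure, lower-cased for case-insensitive comparison.
SUBJECTS = {s.lower() for s in (
    "Error", "Good day", "hello", "Mail Delivery System", "Mail server report",
    "Mail Transaction Failed", "picture", "Server Report", "Status")}


def match_attachment(name: str) -> Optional[str]:
    """Return the Stration.BB naming pattern that `name` matches, or None."""
    lowered = name.strip().lower()
    if UPDATE_KB_RE.match(lowered):
        return "update-kb"
    parts = lowered.split(".")
    # STR1.STR2.STR3, e.g. data.txt.pif: a double extension ending in an executable type.
    if len(parts) == 3 and parts[0] in STR1 and parts[1] in STR2 and parts[2] in STR3:
        return "double-extension"
    # STR1.zip, e.g. docs.zip
    if len(parts) == 2 and parts[0] in STR1 and parts[1] == "zip":
        return "zip"
    return None


def score_message(subject: str, attachments: List[str]) -> Dict:
    """Flag a message whose attachment names match; the subject hit is reported as corroboration."""
    matched = {a: p for a in attachments if (p := match_attachment(a))}
    return {"subject_hit": subject.strip().lower() in SUBJECTS,
            "attachment_hits": matched,
            "suspicious": bool(matched)}


# Constructed sample messages (subject, attachment names), not captured traffic.
SAMPLE_MESSAGES = [
    ("Mail server report", ["Update-KB8328-x86.zip"]),
    ("hello", ["body.msg.exe"]),
    ("Quarterly figures", ["report.pdf"]),
]

if __name__ == "__main__":
    for subject, attachments in SAMPLE_MESSAGES:
        print(subject, "->", score_message(subject, attachments))
```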
Once the attachment has been run, the worm opens a Notepad window containing garbage, creates the aforementioned files and registry keys (see Symptoms) and starts searching for e-mail addresses, which are stored in the file SERV.WAX.
It also terminates processes whose names contain:
alunotify
wuauserv
drwebupw
nod32krn
wuauclt1
upgrader
mcupdate
NOD32krn
autodown
spiderml
avgupsvc
avginet
sndsrvc
ndetect
SNDSrvc
aupdate
wupdmgr
wuauclt
luinit
kavsvc
lsetup
lucoms
kavsvc
tbmon
luall
It has a list of URLs from which it attempts to download an update. If a file is present at any of those URLs, the worm downloads and executes it.
Once the e-mail harvesting is done, it attempts to send itself to the harvested e-mail addresses.
Last update 21 November 2011